Академический Документы
Профессиональный Документы
Культура Документы
Contributors:
Editor:
Company
Andr Egners
RWTH
egners@umic.rwth-aachen.de
Enno Rey
ERNW
erey@ernw.de
Hendrik Schmidt
ERNW
hschmidt@ernw.de
Peter Schneider
NSN
peter.schneider@nsn.com
Sascha Wessel
FHG AISEC
sascha.wessel@aisec.fraunhofer.de
Partners:
Cassidian Systems
ERNW Enno Rey Netzwerke GmbH
Fraunhofer Research Institution for Applied and Integrated
Security (AISEC)
Hochschule Augsburg
Nokia Siemens Networks GmbH & Co KG
RWTH Aachen
Associated Partners:
Executive Summary
This paper documents the threat and risk analysis for mobile communication networks and
mobile terminals that has been carried out by the ASMONIA consortium. The analysis covers
on one side various types of mobile terminals and on the other side mobile communication
networks according to the architecture specified by 3GPP, i.e. GSM, UMTS and in particular
LTE/SAE networks.
For the purpose of this analysis generic threat categories have been defined. Using these
threat categories, the different assets (i.e. components of the mobile network) have been
assessed according to a common method, which is specified in this document. This
assessment method comprises the estimation of the likelihood of attacks, the overall
vulnerability of the assets, and the impact of successful attacks on the network in a
qualitative way. From these factors, a risk value is calculated that allows to compare the
significance of the different threats and to give a ranking of the different network elements
according to the risk they are exposed to.
The assessments were performed by groups of experts, selected according to the required
expertise on each asset. In some cases, the theoretical analysis was complemented by
practical penetration testing, e.g. attacks on network elements were carried out in lab
environments.
The results of the analysis show that there are significant differences in the risks associated
to different network elements. The highest risks are related to base stations, to the short
message service, to core network elements that aggregate large amounts of user plane
traffic, to the IP multimedia subsystem and to servers used for operation and maintenance of
the network. For mobile terminals, the analysis displays high risks for the devices and their
users as well. Compromise of a mobile terminal, e.g. via user installed software, which turns
out to be malicious, constitutes a quite substantial threat for the affected user. A compromise
of a large set of mobile terminals, leading to the establishment of a mobile botnet, can easily
endanger a whole mobile network.
It can be concluded that security concepts for mobile terminals and mobile communication
networks, including improved attack analysis concepts, as explored in the ASMONIA project,
are of vital importance to counter the various threats and reduce the security risks of future
mobile network infrastructures.
Table of Contents
1 Introduction
11
11
11
11
11
12
12
12
12
12
13
13
13
13
13
14
15
15
16
17
18
3 Threat Categories
19
19
20
23
24
4.1 Terminals
4.1.1 Baseband Part
4.1.1.1 Hardware and Software Architecture (Modem)
4.1.1.2 Subscriber Identification Module (SIM)
4.1.1.3 Security Goals of GSM
4.1.1.4 Attacks on GSM Security
4.1.1.5 UMTS Security
4.1.1.6 Attacks on UMTS
4.1.1.7 Fuzzing Baseband Implementations
4.1.2 Applications Part
4.1.2.1 Machine-to-Machine
4.1.2.2 Feature Phones or Simple Mobile Phones
4.1.2.3 Mobile Operating Systems for Smart Phones
4.1.2.4 Comparison of the Security Features of the Most Popular Operating Systems for
Current Smart Phones: Android, iOS and Windows Phone 7
4.1.2.5 PCs with 3G/4G Module
24
25
27
27
28
31
39
39
40
43
43
44
49
75
87
87
89
89
90
90
90
91
91
91
92
92
92
107
110
118
120
121
122
122
127
129
131
133
134
134
136
137
137
137
139
142
145
147
147
149
150
152
152
155
157
157
159
162
162
164
5 Mobile Botnets the Next Large Scale Threat to the Mobile Business
168
168
170
170
170
171
171
172
173
6 Conclusion
174
References
178
Abbreviations
185
Revision History
189
192
1 Introduction
It is well known that IP based networks are exposed to various threats. Attacks on such
networks are launched aiming at the theft of information, the distortion of information,
destroying information or software on hosts or making information or services unavailable.
Mobile networks of the second and third generation, i.e. GSM and UMTS networks, used to
be largely based on TDM/ATM transport networks in their wired part. However, such legacy
transport techniques are more and more replaced by packet transport, e.g. Carrier Ethernet
and IP/MPLS networks. The fourth generation of mobile communication networks, which is
currently at the beginning of its deployment phase, makes full use of IP based transport
networks. For example, the 3GPP specified 4G mobile network, called Evolved Packet
System (EPS), applies IP based transport on all interfaces (except for the radio interface),
and all user plane traffic, including voice, is based on IP, i.e. no circuit switched service is
provided anymore.
Consequently, future mobile communication networks will be increasingly exposed to the
various threats known for IP based networks, and there is no doubt that also new, currently
unknown attacks will be mounted, targeted specifically against the network elements and
services of mobile communication networks.
Similarly, terminals, i.e. mobile phones, have significantly changed during the last years.
While earlier mobile phones supported voice and a limited set of data applications, today's
smart phones are rather mobile computers than voice handsets. They are more and more
dominated by data applications that require significant local computing resources as well as
a constant interconnection to the Internet. Very similar to personal computers, they are
increasingly threatened by all kinds of malware, like worms, viruses, or trojans. This is a
threat not only to the users of such mobile terminals, but also to the mobile network
operators (MNOs) and the community of users of the mobile network infrastructure, because
powerful terminals can substantially endanger mobile communication networks, if a high
number of them are abused for mounting attacks against the network. For example, a future
botnet of smart phones may be able to execute a so called Denial of Service (DoS) attack,
i.e. exploit some weaknesses in the implementation of a mobile communication network in a
way that renders the mobile network or parts of it unavailable.
While it is rather obvious that future IP networks will be endangered by various threats, it is
less clear, which threats will be the most significant ones and which network elements will be
most endangered. As such knowledge is highly relevant for guiding the efforts to secure
future mobile communication networks, both in research and in implementation and
deployment of security measures, the ASMONIA project has taken up the task to perform a
thorough threat and risk assessment for mobile communication networks and mobile
terminals.
This threat and risk assessment aims at future 4.Generation (4G) networks and terminals.
Officially, 4G networks are networks that comply with the requirements of the ITU-R's IMTAdvanced initiative. End of 2010, the ITU-R has decided that two technologies will be
accorded the official designation of IMT-advanced:
Of these two technologies, LTE-advanced is the one that is the natural evolution step for
current mobile networks, including GSM and UMTS but also CDMA2000. WirelessMANadvanced would be an evolution step for current WiMAX based networks. As
10
11
12
13
2.2.1 Definitions
According to [ISO13335-4, p.4] we define a threat as "a potential cause of an incident that
may result in harm to a system or organization" and a vulnerability as "a weakness of an
asset or group of assets that can be exploited by one or more threats". To describe an
Based on AS/NZS 4360 which in turn is regarded as a major contribution to the mainstream concept
of risk in the 20th century.
The definition of the term "risk" within ISO 31000 is taken from ISO GUIDE 73:2009 and it can be
expected that future versions of ISO 27005 will incorporate this definition (and the underlying idea) as
well.
4
It should be noted that the terms (and concepts) of "risk" and "uncertainty" might dispose of some
duality on their own (see [COFTA07, p. 54ff.] for a detailed discussion on this). Still, we strictly follow
the ISO 73 approach here.
5
Where "assessing them" is one step in "dealing with risks".
6
[COFTA07, p.29] employs the concept of a "transactional horizon" to express the inherent limitations.
7
ISO 31010] gives an overview of risk assessment techniques.
14
Use of a well-defined threat catalogue (usually one and the same at different points of
execution) which might be provided by an industry association, a standards body or a
government agency regulating a certain industry sector. While this may serve the
common advantages of a standards based approach (accelerated setup of overall
procedure, easy acceptance within peer community etc.), [ISO31010, p. 31] lists
some major drawbacks of this course of action, laying out that check-lists8
o
address the 'known knowns', not the 'known unknowns' or the 'unknown
unknown'.
tend to be observation based, so miss problems that are not readily seen.
Within the ASMONIA project it was therefore agreed upon to follow the latter approach
(individual threats, depending on context), with the stated goal of performing the identification
of relevant threats "as precisely as possible and affordable". The threats used in the present
document are described in chapter 5.
2.2.3 Factors Contributing to a Risk
ISO 27005 (currently, that is as of 2008) defines information security risk as the
"potential that a given threat will exploit vulnerabilities of an asset [...] and
thereby cause harm to the organization".
Following this, three main factors contribute to the risk associated with a given threat:
Looking at the description of check-lists in ISO 31010, it becomes clear that they designate what is
called threat catalogues in other contexts.
Copyright 2012 ASMONIA consortium. All rights reserved.
15
When thinking about threats, this allows to differentiate between "external phenomena" (attacks happen, malware is around, hardware fails occasionally, humans
make errors) and "internal conditions" ("in this environment there's protection against
certain attacks", "our malware controls might be insufficient", "we don't have
clustering of some important servers", "our change control procedures are
circumvented too often").
This differentiation allows for governance and steering in the phase of risk treatment
("one can't change [the badness of] the world, but one can mitigate the vulnerability
[conditions]"; which then is expressed by a diminished vulnerability factor and
subsequently reduced overall risk). In case of the present document this means that
the reader will be enabled to modify the vulnerability factor for a particular (e.g. the
reader's own) environment and still be able to get meaningful results.
In the ASMONIA context this furthermore facilitates looking at some asset's (e.g. a sample
mobile telecommunications network or a sample mobile phone architecture) intrinsic properties (leading to vulnerabilities) without knowing too many details about the environment
the asset is operated in.
Qualitative estimation which uses a scale of qualifying attributes (e.g. Low, Medium,
High) to describe the magnitude of each of the contributing factors listed above. [ISO
27005, p. 14] states that qualitative estimation may be used
o
Quantitative estimation which uses a scale with numerical values (rather than the
descriptive scales used in qualitative estimation) for impact and likelihood10, using
data from a variety of sources. [ISO 27005, p. 14] states that "quantitative estimation
in most cases uses historical incident data, providing the advantage that it can be
related directly to the information security objectives and concerns of the
organization. A disadvantage is the lack of such data on new risks or information
security weaknesses. A disadvantage of the quantitative approach may occur where
16
Likelihood
1: < once in 5 yrs
2: < once a year
3: < once a month
4: < once a week
5: > once a week
Vulnerability Factor
1: Extensive controls, threat can only materialize if multiple failures coincide.
2: Multiple Controls, but highly skilled+motivated attacker might overcome
those.
3: Some control(s) in place, but highly skilled+motivated attackers will
overcome those. Overall exposure might play a role.
4: Controls in place but they have limitations. High exposure given and/or
medium skilled attacker required.
5: Maybe controls, but with limitations if at all. High Exposure and/or low skills
required.
11
And so does the example 2 (section E.2.2) of [ISO27005] which can be compared to the
methodology described in this document.
Copyright 2012 ASMONIA consortium. All rights reserved.
17
18
3 Threat Categories
As none of the existing threat classifications was identified to be useful for the purpose of the
present document (see above, section 2.2.2), a definition of generic threats for the assets
within 4G networks was done. This section describes the threats identified and is used as the
baseline throughout the remainder of the present document.
from the Internet or another connected packet data network (PDN), e.g. a
corporate IP network;
Note that the external attacker may be a user only, but may also be an administrator
of an interconnected network.
tampering with easily accessible devices (in particular in RANs, e.g. the
(Home)(e)NB);
19
Insider Attacks
EPS
HSS
PCRF
IMS
MME
Appl.
Server
eNB
L3/L2 based
attacks from transport
networks
S-GW
PDN-GW
Transport Network
Attacks on the
Radio Interface
Mobile
Terminal
Internet /
Other PDNs
Focusing on the above threats means that natural or man-made disasters are out of scope of
this document. Moreover, failure of systems in absence of an attack condition is also out of
scope, e.g. failure due to a memory fault. Note however that software failures typically are
the consequence of some programming error that may also be exploited by a deliberate
attack.
20
Loss of availability:
T1 Flooding an interface
Attacker causes DoS in a network element by sending a flood of packets (overload).
T2 Crashing a network element via a protocol or application implementation flaw
Attacker crashes a network element by sending maliciously crafted packets (exploit of
a flaw in the protocol implementation) or by exploiting a weakness in a user application
on the network element. The consequence is DoS with respect to the functions of the
network element.
Loss of confidentiality:
T3 Eavesdropping
Attacker eavesdrops sensitive data during transit (traffic). This includes gaining
information by analyzing encrypted traffic (e.g. monitoring timing, packet length, traffic
volume etc.) without being able to decrypt it.
T4 Unauthorized access to sensitive data on a network element via leakage
Attacker gets access to sensitive data on the network element by triggering leakage of
such information (e.g. by abusing network protocols or exploiting a flaw in a user
application on the network element).
Loss of integrity:
T5 Traffic modification
Attacker modifies/fakes information during transit and by this causes some unwanted
action (e.g. of the network element receiving the faked information).
T6 Data modification on a network element
Attacker modifies information on a network element or inserts faked information on a
network element (e.g. configuration data) and by this causes some unwanted action
(triggered when the faked information is used somehow).
May be done by abusing network protocols (e.g. unauthenticated TFTP upload) or by
exploiting a flaw in the user application on the network element.
Loss of control (compromise/abuse of network elements)
T7 Compromise of a network element via a protocol or application implementation
flaw
Attacker exploits a flaw in protocol stacks or applications of a network element to gain
full control over the network element and abuses the network element to perform
unwanted actions subsequently.
T8 Compromise of a network element via a management interface
Attacker exploits a weakness in the configuration of the management interfaces (e.g.
weak/default passwords, access to OAM applications via publicly accessible interfaces)
to gain full control over the network element and abuses the network element to
perform unwanted actions subsequently.
21
22
Impact is estimated primarily as the impact on the network from the operators point of view,
which is in many cases also the point of view of the community of network users. An example
for this is the availability of the network, which is essential for the operator as well as the
users. A counterexample is when attackers gain access to services free of charge, which
may heavily impact the operator but doesnt matter to the user community.
For the threats addressing specifically the user-plane (T3.2 and T5.2) the direct impact is on
users, not on the network. For a single user, the impact can be high, although we assume
that highly sensitive user plane data are protected independently (see reasoning in the
closing paragraphs of section 3.2). However, loss of confidentiality or integrity of user plane
traffic has also an impact on the operator, which we estimate as a rule to be in the range
from 1 to 3 according our scale described in section 2.2.5.
Note further that the list of threat categories given above is meant to be a baseline for the
risk assessments for the various assets covered in this document. Where appropriate, these
generic threats are enhanced by asset specific threats in the respective sections of the
document.
In version (I) of this document, also the terminals were assessed applying the above
scheme. However, this has not turned out to be very useful during the further work and
therefore has been abandoned in this version of the document.
23
Radio interface;
Following this method, the present document divides the 4G mobile network into several
parts on the basis of physical network entities and structures the threat analysis accordingly.
The following major parts are distinguished
Terminals
Access network: Radio interface and 3GPP specified entities in radio access
networks like the eNB
Core network: Core network interfaces and 3GPP specified core network entities (in
the MNO domain)
Application servers: Non standardized application servers for OAM, billing and end
user applications
4.1 Terminals
Terminals in a 4G mobile network are a very heterogeneous mass of devices. Even though
individual devices always consist of two core components:
24
http://brew.qualcomm.com
25
26
26 %
Mediatek
24 %
Qualcomm
19 %
Infineon/Intel
11 %
ST-Ericsson
10 %
Broadcom
3%
Freescale
2%
Others
5%
RF Frontend
Analog Baseband
Digital Baseband
For this risk analysis only the digital baseband is considered. The only relevant threat for the
other parts is radio jamming, which cannot be prevented by measures on usual low cost
terminals.
Besides a DSP for signal processing the main component of the digital baseband usually is
an ARM SoC running a small real-time operating system which is responsible for parts of
layer 1 and everything above:
27
Authentication
Confidentiality
Anonymity
4.1.1.3.1 Authentication
In GSM the network authenticates the MS, but the MS does not authenticate the network. A
message flow for the authentication is given in Figure 2. The idea is that the network sends a
128 Bit random number to the MS. The MS is asked to send the response SRES of the A3
algorithm with parameters RAND and Ki back to the network. SRES might be the first 32 bits
of the COMP128 algorithm, which is executed on the SIM.
28
29
30
31
13
14
http://openbsc.osmocom.org/
http://sourceforge.net/projects/ggsn/
32
33
15
http://reflextor.com/trac/a51/
35
16
http://srlabs.de/research/decrypting_gsm/
36
17
https://svn.berlin.ccc.de/projects/airprobe/
http://gnuradio.org/redmine/wiki/gnuradio
19
http://www.wireshark.org/
18
37
20
http://bb.osmocom.org/
38
Mutual authentication
Assurance that authentication information and keys are not being re-used (key
freshness)
Use of stronger encryption by using longer keys and better algorithm design
Termination of the encryption further into the core network to encompass microwave
links
To deliver appropriate network access security the following mechanism are defined
[Xenakis2006]: user identity confidentiality, authentication and key agreement and data
confidentiality. All of them rely on different notation and algorithms then in the GSM
architecture. Additionally UMTS defines integrity protection of signaling messages to avoid
several security risks like the ones described in Section 4.1.1.4.1.
4.1.1.6 Attacks on UMTS
Attacks on network access security are so far not known, and no software has been
published so far for real attacks on the UMTS security infrastructure. In [Kambourakis2010]
Kambourakis et al. explain several possible DoS by exploiting unencrypted and
unauthenticated signaling messages. For their attacks they assume that an attacker holds a
false BTS or a modified MS. An attacker is able to intercept a valid session of others, sniff
and replay packets, analyze traffic and spoof the data of UMTS frames. For more details the
reader is referred to [Kambourakis2010].
A more general discussion of the weaknesses of UMTS and proposals to overcome them is
given in [Xenakis2004]. For example the authors argue that if a TMSI cannot be allocated,
the VLR is free to request the IMSI, which leads in a possible threat to user identity
confidentiality. To overcome this problem, the authors suggest a second temporary identity of
the user, which can be requested in case the TMSI allocation doesnt work. Furthermore it is
stated, that safety measures for the backbone network, like firewalls, arent applicable to
assure for insider threats.
In [Dunkelman2010] Dunkelman, Keller and Shamir present an attack to reduce the 2128
complexity of the Kasumi algorithm. They are able to derive the whole session key by using 4
related keys, 226 data, 230 memory and 232 time, by a technique they call sandwich attack.
The authors also state, that their attack doesnt work with the previous version of the Kasumi
cipher Misty.
However, looking at practical attacks, there are no relevant conceptual flaws known at the
time of writing, except the backward compatibility to GSM. In particular, the possibility to
catch mobile 3G devices with a faked (2G) BTS as described in section 4.1.1.4.1 is relevant,
as these devices are typically configured in a way that they are not restricted to 3G, but can
use also 2G access.
39
21
http://openbts.sourceforge.net/
40
22
http://code.google.com/p/sulley/
41
Whole phones crashed when trying to read certain messages. Sometimes these short
messages could not be deleted anymore.
Mobile devices crashed and rebooted. After the reboot they were unresponsive and
unstable until all messages were deleted.
One phone even crashed on receiving a SMS and was broken afterwards.
Most crashes were triggered using concatenated SMSs, so it seems probable that a
combination of incorrect length fields and different coding schemes lead to memory
corruptions while reassembling messages parts. Another interesting result is that despite the
detailed GSM specification some implementations behave differently regarding aspects like
silent calls, sending of acknowledgements in the SMS delivery and Paging Requests.
42
Security This refers to automated alarm and access control systems available for
cars and buildings that allow notification or control via the GSM network.
Tracking & Tracing of objects or persons. One major application already in use is
fleet management of transport and car rental companies in order to monitor vehicle
movement with the help of GPS. Furthermore a similar approach has been chosen by
certain insurance companies by monitoring their customer's car usage. The collected
data is then being used to calculate charges.
Payment applications via the mobile phone, but also point of sales terminals for
credit or debit card transactions and ATMs.
Health Transmission of monitored vital signs for remote diagnosis. This is also known
as eHealth.
Remote Maintenance & Control of objects such as sensors, vending machines and
vehicle diagnostics as well as lighting, pumps and valves in industrial applications.
Metering Smart metering (e.g. power, gas, and water) for accounting purposes or
building management in the energy industry.
Not every application is easy to classify, such as the EBuLa (Elektronischer Buchfahrplan
und Langsamfahrstellen) system of the Deutsche Bahn, which provides a terminal in the
trains with the necessary information for the locomotive driver on the current track.
Depending on the nature of data transmitted security topics have to be taken into account.
Particularly in health applications sensitive data has to be asserted not to be eavesdropped,
Copyright 2012 ASMONIA consortium. All rights reserved.
43
Audio: In feature phones (and most smart phones) the routing of the audio interfaces
like earpiece, microphone and speaker can be controlled by the baseband processor.
This can be abused for example with a firmware which was unrecognized modified by
an attacker. The phone could then for example be advised remotely via SMS to turn
on the microphone to eavesdrop a conversation. Flaws in the GSM protocol or its
implementation on the baseband processor are starting points in order to realize such
an attack.
23
http://ec.europa.eu/ecall
http://www.bmw.com/connecteddrive
25
http://www.volvocars.com/uk/campaigns/misc/oncall/Pages/Overview.aspx
26
http://www.onstarmobiledemo.com/
24
44
USB: Many phones today have a USB port (or serial port in the past) over which they
can be connected to a PC and be used as a terminal adapter to for example establish
a data connection or remote control the phone in another way. This is done mostly via
the AT commands set. Another common functionality via the USB port is the
synchronization of calendar, contacts and media files. This can be exploited to realize
attacks in both directions. As depicted in [Wang2010] the capability of connecting a
mobile phone via USB turns into vulnerability due to the reason that there is no
authentication involved. Security is just being assumed, since physical access to the
device is necessary.
Two classes of attacks from a compromised mobile phone to a computer are being
proposed. The first class is the mobile terminal acting as a HID (Human Interface
Device) and therefore being recognized as a USB keyboard or mouse device. This
can be used to send predefined input commands and thereby harming the connected
computer as if the user had typed the malicious commands by himself. The second
class makes use of the possibility to connect the phone as a mass-storage device
providing malicious content, e.g. PDF or JPG files exploiting vulnerabilities in system
software. Hereby a mobile phone poses a higher threat than a usual USB stick for its
computational power. By looking at the USB Requesting Block ID (URB) in the USB
packets the attacking terminal can identify the computers operating system, which
allows more well-directed attacks resulting in a higher success rate.
There is a wide variety of possible attacks from computers to mobile terminals, as the
USB interface often provides powerful possibilities. In general it is very easy for an
adversary to gain information of all kind from the phone when having managed to
gain access, for there is no authentication required. Furthermore a possible threat is
imposed by a malicious firmware that may be flashed onto the phones memory.
JTAG: Some phones expose a JTAG port (Joint Test Action Group) which is
standardized in IEEE 1149.1. The JTAG port provides low-level access to the
hardware for example for debugging or boundary scan testing and is therefore usually
not meant to be used by the end user. Consequentially in most phones the port is not
accessible at all or only accessible by means of opening the phones body or
modifying the hardware in other ways. Though if an attacker succeeds in doing so, he
has a powerful tool at his disposal which can possibly be used to figure out
vulnerabilities.
The security threat the JTAG interface is prone to depends on the implementation
that has been chosen by the device developer. The more access is being intended for
development purposes the bigger is the threat that results from leaving the interface
intact in the final product. If unsecured it offers possibilities for a thorough analysis
and intrusion into the system. Since there is often no documentation provided on
possibly available JTAG interfaces on a circuit board [Breeuwsma2006] describes an
approach to finding test pads by measuring pins on the board that might be leftover
from JTAG interfaces only intended for use in the development process. Moreover
there exist tools, e.g. JTAGEnum 27 or JTAGFinder 28 , allowing a similar approach
using low-budget hardware. After having reverse engineered the interface it can be
possible to forensically extract the content held by flash memory connected to the
probed component as it is. On one hand this might enable reconstruction of data that
has been deleted from the phones file system as long as it is not yet overwritten. On
27
28
http://deadhacker.com/tools/
http://www.elinux.org/JTAG_Finder
45
SD Card: The SD card is a common way to enlarge the memory space of a phone
e.g. for multimedia content like photos or music, but also for contact data and other
stuff. The card is mounted as external storage device when the phone is connected to
a PC. This fact can be exploited in a Phone-To-Host attack like explained in
[Wang2010].
29
http://www.nruns.com/security_tools_btcrack.php
46
In addition the term bluejacking describes the act of arbitrarily sending content to
mobile phones in discoverable mode. This is not exploitation of vulnerability per se,
but flooding devices has a high chance of resulting in success, if a subject accepts
the request without concern or by mistake and afterwards executes the malicious
program.
30
WLAN: Some feature phones (and especially smart phones) have a wireless LAN
interface, which can be used to connect to a WLAN network, for example to gain
access to the internet. This brings up some security concerns as denoted in
[Welch2003]. Aside from a denial of service attack by jamming the WLAN signal the
simplest form of an attack would be eavesdropping an unencrypted or WEP
http://trifinite.org/trifinite_stuff.html
47
NFC: Some newer feature phones contain a Near Field Communication (NFC)
interface for exchanging data with other devices over small distances actively or
passively like a smart card. It is an RFID technology and primary use cases are for
example mobile payment, out-of-band device pairing for other connections such as
Bluetooth and information gathering from smart posters. Several NFC related attacks
are listed below.
In [Haselsteiner2006] the authors highlight several threats that are inherent to NFC
technology. As communication takes place over radio frequency waves these can
ordinarily be eavesdropped with an antenna from within a distance of 1 to 10 meters
depending on the communication mode of the phone and environmental
circumstances. Another threat would be jamming the radio signal in order to corrupt
the data being transferred, which would result in a typical DoS attack. Physical data
modification on transferred bits is theoretically possible according to the signal
transmission encoding that is being used. Moreover the possibility of data insertion is
proposed. This may be done with the condition that the inserted answer to an NFC
message has already finished being transmitted, since an overlap with the real
answer would lead to corrupt data.
Further threats are allocated in [Madlmayr2008]. Firstly a DoS attack can be launched
since every touch of a mobile terminal with an NFC tag causes a reaction, so that
even with an empty tag that just provokes an error message the phone may be
occupied. In [Mulliner2009] it has also been achieved to crash a phone reading a tag
that provided fuzzed information.
Secondly it is being pointed out that the standard is not secure against relay attacks
that cannot be recognized by the devices involved. Therefore immediate proximity of
these devices is not guaranteed. In [Francis2010] such an attack is demonstrated
48
49
50
Capabilities are implicitly granted by the user at the time of installation. This will
effectively grant the applications the rights to access all the functionality specified for
the time it remains on the device. (Android)
Granting capability through external (trusted) entities. Instead of involving the user, an
external entity verifies the different capabilities used by the application. This typically
involves some form of review. After the review process is passed, the capabilities
document will be secured by the external party. This typically involves the external
party digitally signing the document. These external parties will most likely be
operating a distribution hub such as an App market. (Symbian, Apple)
The particular capabilities can vary in their granularity. For example the Android OS allows
specifying read/write control to the SD card, but not a general restriction to certain directories
on the SD card. Somewhat similar to the concepts of capabilities, application level access
controls are decided during development of the application. Upon installation of the
application, the necessary access controls to run the application may be presented to the
users for confirmation. Deciding the level of granularity to be used is a trade-off between
security and not overstraining the user with complex decisions.
4.1.2.3.1.2 Remote Device Activation
To control the device usage, some vendors require the activation of the device via a remote
server. This is typically used when the vendor is also controlling the application distribution. It
allows to link the device to the user. This can later be used to control the data of the user,
and also allow the remote deactivation.
4.1.2.3.1.3 Remote Device Wiping & Deactivation
Remote wiping and deactivation techniques are useful in several cases.
Stolen devices
Infected devices
Malicious device
The motivation for the vendor of the devices is obvious. He wants to control which data can
reside on the device and which services can be used. Network operators are more interested
in deactivating malicious devices that may attack the network infrastructure. Stolen or
infected devices are more of concern to the owner/user. Remotely wiping the device can be
useful if direct disinfection does not work. Also, in case of the device being stolen, the user
can wipe the device without fearing his data to be disclosed.
4.1.2.3.1.4 Code Signing
Code signing is used to be able to confirm who has released a program or an app. The user
still has to make his own decision whether to install the code or not. Additionally, code
signing enables to check whether the code has been altered or corrupted since applying the
signature. Signing is typically done by using digital signatures which are based on
cryptographic hash mechanisms. The security of the signature scheme is the basis for the
security of the code signing mechanisms. Every security issue related to digital signature is
therefore also relevant when applying them to code.
Whether the trust imposed on the code is backed up by a trustworthy certification authority
depends on the use case. There can also be solutions in which the code is signed based on
self-signed certificates. These solutions may be able to protect against corruption and
alteration of the code, but they do not necessarily provide means to trust the author of the
code in question. This would have to be decided by the user that installs or runs the code on
his device.
51
52
53
Capabilities (basic, extended, full) which force the applications to declare which
resources it will use.
Data Caging based on file system access rights and process user ids
4.1.2.3.3 Android
The development of the Android OS has primarily been driven by Google. Its goal is to
provide an Open Source smart phone operating system allowing many different hardware
vendors to use it on their devices. Its core component is the Linux Kernel based on version
2.6. It has first been released in 1Q2009 and its current version is 2.3 which is based on the
2.6.35.7 Linux kernel. Just as the iOS for the Apple iPhone, Android offers the possibility to
install 3rd party applications via the Android Market which is similar to the Apple App
Store. Applications do not run natively, but rather use the Dalvik virtual machine
[Bornstein2008] as a runtime sandboxing layer. The core OS is protected from the
applications, as well as applications from each other.
Applications can either directly be installed from the market, or manually by downloading
them onto the device. Untrusted applications i.e., ones without a signature (by using the help
of self-signed cert) cannot be installed on the device by default. However, this can easily be
changed.
The figure below gives a general overview of the Android architecture. The lower level is
represented by the Linux kernel. On top of that we have the necessary system libraries to
interact with the kernel and the Android runtime, which consists of a set of core libraries (to
interface with the native system) and the Dalvik virtual machine. On top of that we have the
actual programming API accessible to application programmers.
54
55
56
Figure 14: Starting the Google Maps app with predefined coordinates
4.1.2.3.3.3.5 Broadcast Receivers
The third type of intents are broadcast intents. Initiated by the system, implicit broadcast
intents are sent to notify applications of certain events like an incoming phone call or SMS, a
time zone change or an almost-drained battery. Broadcast receivers are application
components that listen to these intents and handle them. Common actions reach from the
launch of a new activity to changing an entry in the persistent storage. Broadcast receivers
do not come with a UI.
4.1.2.3.3.3.6 AndroidManifest.xml
Information about inter process communication is included in the AndroidManifest.xml file. In
this file, every component of the application must be defined, intent filters describe which
intents this application wants to handle and every permission the application needs can be
found. As soon as any kind of intent is fired, the system searches all installed applications for
a matching intent filter.
4.1.2.3.3.4 Dalvik Virtual Machine
The Dalvik Virtual Machine is the heart of the Android runtime. In the layer model, it resides
on the second level next to the core libraries. It was developed by Google employee Dan
Bornstein since 2005. It bases on the Java Virtual Machine Apache Harmony (which is the
open source variant of the Java VM), yet there are major differences.
The main difference between the two virtual machines is the architecture, which results in
different byte code for the two machines. Dalvik follows the register machine model to
generate its dexcode, whereas the JVM uses a stack-based architecture, akin to a
microprocessor.
For both virtual machine types, the programming language is Java and both use the javac
compiler to build .class files from the source code. When compiling for Dalvik, the resulting
class files are packaged into one single classes.dex file which eventually contains the Dalvik
57
59
60
61
63
64
Chain of trust in boot process in order to detect low level integrity violations as early
as possible
65
66
67
http://blogs.cio.com/iphone/16612/iphone-dev-sneaks-malware-apple-app-store-feels-swift-wrathcupertino
32
http://www.fsf.org/blogs/licensing/vlc-enforcement
Copyright 2012 ASMONIA consortium. All rights reserved.
69
70
71
72
73
74
Chipset security at OS level provides tamper resistant secure services similar to TPM
Data caging for process based on file system access rights (possibly encrypted)
4.1.2.4 Comparison of the Security Features of the Most Popular Operating Systems
for Current Smart Phones: Android, iOS and Windows Phone 7
This section covers a comparison of the to date most popular smart phone operating
systems, Android, iOS, and Windows Phone 7. It discusses the different security features of
each smart phone operating system.
4.1.2.4.1 Hardware Features
All three platforms are currently based on the ARM architecture. The processor features
protection mechanisms that are hardware-supported. One example is the TrustZone of
ARMv6KZ and newer architectures (Cortex-A series and ARM1167 processors). It provides
Copyright 2012 ASMONIA consortium. All rights reserved.
75
76
77
79
81
82
83
84
Android
iOS
Windows Phone 7
Sandboxing
Memory Protection
--
Code Signing
++
Service Connection
++
++
++
(Application) Copy
Protection
++
Application Shop
Security
--
++
++
Permission Model
--
85
86
87
89
90
91
UE
SAE-GW
MME
S1
S1
Uu
eNB
eNB
X2
93
User Plane
Radio
Network
Layer
Control Plane
Radio
Network
Layer
S1-AP
GTP-U
SCTP
UDP
Transport
Network
Layer
IP
Data link layer
Physical layer
Transport
Network
Layer
IP
Data link layer
Physical layer
Figure 23: IP-based Protocol Stack on the S1-U and S1-MME Interfaces (Source:
[3GPP_TS36410])
The logical point-to-point interface X2 between eNBs is mainly used to support fast
handovers between eNBs. This is achieved by allowing two eNBs connected via an X2
interface to exchange signaling messages to prepare a handover of a UE between them.
Another handover type (the S1-handover) makes use of the S1 interface and involves the
MME in the handover preparation. This type of handover procedure is more time intensive
due to the higher signaling overhead via the MME. The protocol stack supported on the X2
interface between two eNBs is IP-based and is identical to the protocol stack on the S1
interface illustrated above, except that the S1-AP is replaced by the X2 application protocol
X2-AP. We therefore refrain from providing a separate figure illustrating the X2 protocol
stack.
94
eNodeB
MME
S1 Setup
sport
NAS Tran
Downlink tion Request
rma
ESM Info
Uplink NA
S Transpo
ESM Info
rt
rmation R
esponse
Request
dge
Acknowle
Request
p
tu
Se
S1
Configura
est
tion Requ
Configura
tion Requ
est
sport
NAS Tran
Downlink
st
e
u
q
e
R
Identitity
Initial Con
text Setu
p
Uplink NA
S Tra
Attach Co nsport
mplete
Uplink NA
S Transpo
rt
Identity R
esponse
sport
NAS Tran st
Downlink
ue
q
e
R
n
o
cati
Authenti
Uplink NA
S
Authentica Transport
tion Resp
onse
...
S1-AP messages
Uplink NA
S Transpo
rt
Detach R
equest
sport
NAS Tran nd
Downlink
ma
m
o
C
ode
Security M
mmand
elease Co
Context R
Uplink NA
S
Security M Transport
ode Comp
lete
Context R
elease Co
mp
lete
In the following, the basic packet structure of S1-AP (and equivalent X2-AP) is explained.
Both, S1-AP and X2-AP packet header, consist of some general fields, like message type,
packet length and count of items, but also of QoS parameters like criticality. Furthermore, the
following table describes the setup of the item fields, which are used to transport the
contained information.
Field
Description
Message Type
Length
Count of Items
Item 1
Item 2
...
EPS Mobility Management (EMM) procedures are used for control of mobility, if the UE is
using the E-UTRAN, and provides mechanisms for tracking and authenticating the UE
towards the core network (especially the MME).That means requesting and delivery of
identification and authentication data from UE, but also the delivery of UE capability
information to the network. Another feature is the information of UE about specific services
active in the network. EPS Session Management (ESM) procedures are used to handle EPS
bearer contexts and to control the user plane bearers connecting the UE with a PDN.
Therefore, it manages the bearers by establishment, modification and deactivation functions.
In regular context, the procedures are initiated by MME, but the UE may also request the
network to modify the bearer resource.
EPS Mobility Management (EMM)
EMM messages consists of a security header, a protocol discriminator (value 0111 for EPS
mobility management messages), a message type and the related information elements. If
96
Its meant to provide the exchange of overload and traffic load information of two
eNodeBs.
97
Message
Echo Request
Echo Response
26
Error Indication
31
254
End Marker
255
G-PDU
An important entry in the GTP-U (and also GTP-C) header is the TEID, which defines the
target endpoint within a tunnel. As example, in direction from eNodeB to PDN-GW, the TEID
includes the identifier for the PDN-GW, and in direction from PDN-GW to eNodeB, the TEIDU includes the identifier for the eNodeB. The TEID always will be unique. Including random
numbers rather than predictable numbers into the TEID may provide some protection against
attackers that have access to an interface where GTP is used and try to guess a TEID as
part of their attack.
98
99
Description
Reset
33
www.asmonia.de
100
S1 Setup Request
Handover Required
Description
E-RAB Release
UE Context Release
Handover Request
101
Overload Start
102
34
See http://bb.osmocom.org/trac/
103
104
105
T1a
T1b
T2
T3.1a
T3.1b
T3.2a
T3.2b
T4
T5.1a
T5.1b
T5.2a
T5.2b
T6
T7
T8
T9
T10
Threats
Flooding the radio interface
Flooding the backhaul interface
Crashing a network element
Eavesdropping radio interface
(control-plane)
Eavesdropping backhaul
interface (control-plane)
Eavesdropping radio interface
(user-plane)
Eavesdropping backhaul
interface (user-plane)
Unauthorized data access
Traffic modification radio
interface (control-plane)
Traffic modification backhaul
interface (control-plane)
Traffic modification radio
interface (user-plane)
Traffic modification backhaul
interface (user-plane)
Data modification
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
3
2
2 - 3
Vul.
Factor
5
2
3
24
24
1 - 3
- 24
3
2
2
2
1 - 3
4
- 18
16
24
20
1 - 3
- 18
2
2
2
2
1 - 3
4
- 12
16
30
3
1
2
2
4
2
5
5
5
30
20
20
Impact
Risk
2
30
2
8
2 12 - 18
106
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control-plane)
Eavesdropping (user-plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
2
2
3
3
3
4
2
3
3
2
Vulnerab.
Factor
5
3
2
2
2
2
2
2
Impact
2
2
4
1 - 3
4
4
1 - 3
4
30
18
24
6 - 24
16
16 - 24
4 - 18
16
30
3
1
2
2
4
2
5
5
5
30
20
20
Risk
Table 4: Risk Assessment for the eNB with aggregated view of interfaces
107
108
109
Theft of service
Similar to the eNB, the RN is not very involved in charging, but with a compromised RN, the
attacker may impersonate other subscribers or otherwise sent traffic that evades charging.
The RN is somewhat more vulnerable against compromise, and thus also against theft of
service.
The following table summarizes our results:
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control-plane)
Eavesdropping (user-plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
3
3
2
2
3
3
4
4
3
3
3
3
Vulnerab.
Factor
Impact
5
2
3
2
2 3 - 4
2
1 - 3
3
4
2
4
2
1 - 3
3
4
Risk
18 6 16 4 -
30
18
32
24
36
24
18
36
45
3
1
2
2
4
3
5
5
5
30
20
30
L-GW
UE
H(e)NB
insecure link
SeGW
AAA
Server/HSS
H(e)NB-GW
H(e)MS
H(e)MS
111
A mandatory device authentication between the H(e)NB and the SeGW using IKEv2
based on public key certificates. This requires suitable certificates to be provisioned
at the H(e)NB, or alternatively, enrolment of such certificates via an H(e)MS outside
the operator network. It is not mandatory, but strongly recommended to support the
OCSP protocol in the H(e)NB to allow checking the revocation status of the SeGW
certificate. The SeGW on the other hand may support OCSP or CRL checking or both
to check the revocation status of certificates.
The device authentication between H(e)NB and SeGW based on IKEv2 is used to establish
an IPsec tunnel (using ESP in tunnel mode) between the H(e)NB and the SeGW. Note that
IPsec is not mandatory to use but may be replaced by mechanisms providing equivalent
security.
The SeGW may perform access control for H(e)NBs, e.g. it may blacklist or whitelist H(e)NBs
for the access to the core network.
Usage of a given H(e)NB may be restricted to a limited set of mobile subscribers, either
specified by a Closed Subscriber Group (CSG) or by an access control list (for the HNB
only).
If the H(e)MS is located in the operators core network, then it resides behind the SeGW and
the connection between the H(e)NB and the H(e)MS is protected with the help of the IPsec
tunnel between H(e)NB and the SeGW. If the H(e)MS is connected to the Internet directly, all
communication between H(e)NB and H(e)MS must be protected by a mutually authenticated
TLS connection based on certificates. The necessary certificates must be provisioned at the
H(e)NB in this case.
Due to national regulations on spectrum usage, a H(e)NB must only be used at allowed
locations. To verify this, 3GPP has specified a number of different methods which are all
optional, although at least one of them must be applied. Note however, that all these
methods can be overcome by motivated attackers, i.e. such attackers may be able to operate
H(e)NBs at arbitrary locations (and possibly abuse them to attack mobile device at these
locations).
113
114
115
Theft of service
Similar to the eNB, the HeNB is not very involved in charging, but with a compromised
HeNB, the attacker can impersonate other subscribers or may otherwise send traffic that
evades charging. The HeNB is somewhat more vulnerable against compromise, and thus
also against theft of service. The scope and therefore the impact of the attack may however
be more limited.
The following table summarizes our results:
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control-plane)
Eavesdropping (user-plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
2
2
3
3
4
3
3
4
Vulnerab
. Factor
5
4
3
3
4
3
3
4
Impact
1
1
3
1 - 3
3
4
1 - 3
3
Risk
10
8
27
9 - 27
48
36
9 - 27
48
64
4
1
2
4
4
4
4
4
4
64
16
32
117
S1-U
S1-U
S1MME
S1MME
HeNB
HeNB
GW
X2
S1MME
HeNB
S1MME
EPC
SeGW
S1-U
S1-U
HeNB
Mgmt
System
119
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control-plane)
Eavesdropping (user-plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
2 - 3
2 - 3
2
2
2
1
1
1
Vulnerab
. Factor
2
2
1
1
1
1
1
1
Impact
4
4
4
1 - 3
4
4
1 - 3
4
Risk
16 - 24
16 - 24
8
2 - 6
8
4
1 - 3
4
20
3
4
1
5
5
5
20 - 30
20 - 40
5
2
2
1
120
Core Network
Circuit Switched
Network
(PSTN, ISDN)
3G CS domain
Radio
Access
Networks
Subscriber
Management
VoIP Network
(other PLMN or
fixed network)
Charging
Packet Core:
IP Multimedia
Subsystem
External IP
Network
(Corporate
Network,
Internet)
121
122
Termination of user plane tunnels towards UEs (includes tunnel control, e.g. protocols
to set up or tear down tunnels):
GTP-u (i.e. user plane only) at S1-U interface to eNBs and S12 interface to
UTRAN RNC or UTRAN NodeB with RNC function
Switching of user plane tunnels as a Serving-GW only (GTP-U or PMIP over the S8
interface to the PDN-GW function in another SAE-GW, Serving-GW is Mobile Access
Gateway in PMIP)
Interconnection and IP forwarding between user plane tunnels to UEs and IP service
networks, including MNO internal networks (e.g. an IMS core network) and external
networks like corporate networks or the Internet.
o
DHCP relay agent using DHCP to communicate with DHCP servers in IP service
networks and DHCP clients in UEs
Policy and Charging Enforcement Function (PCEF), controlled by the Policy and
Charging Rules Function (PCRF) using Diameter over the Gx or Gxc interface.
OAM functions (like SSH server, (S)FTP client/server, HTTP(S) server, SNMP
instance, or proprietary OAM functions) using respective standardized or proprietary
protocols to communicate with various components of an operation and maintenance
center, like element managers, backup&restore servers, logging servers etc.)
The SAE-GW typically communicates with network elements in external networks, e.g.
SGSNs, SAE-GWs or ePDGs in other PLMNs, (e)NBs or RNCs in LTE or UMTS radio
access networks (that may belong to different organizations, e.g. in the case of RAN
123
125
Threats
T1
Flooding an interface
T2
Crashing a network element
T3.1 Eavesdropping (control
plane)
T3.2 Eavesdropping (user plane)
T4
Unauthorized data access
T5.1 Traffic modification (c-plane)
T5.2 Traffic modification (u-plane)
T6
Data modification on a
network element
T7
Compromise via
implementation flaw
T8
Compromise via
management interface
T9
Malicious insider
T10 Theft of service
Vulnerab.
Likelihood
Factor
4
2
4
3
Impact
5
4
40
48
2
2
3
1
1
1
2
1
1
2
10
45
4
4
3
5
5
5
3
2
3
2
2
2
3
3
2
5
3
Risk
30
10
30
6
12
6
5
6
60
40
45
Termination of NAS (non access stratum) signaling with mobile terminals (includes
authentication and key agreement). NAS signaling is transported using S1-AP over
SCTP. It is protected by keys that the MME derives from a key received from the HSS
(see below).
Communication with eNBs at the S1-MME interface using S1-AP over SCTP
(includes transport of the key KeNB to the eNB; KeNB is derived by the MME and used
by the eNB to derive keys for radio interface protection).
Communication with other MMEs, SGSNs and the SAE-Gateway using GTP-C.
Communication with the HSS and EIR to retrieve subscriber and terminal information.
In particular the HSS passes authentication information as well as a key that is used
127
Communication with the CBC to support cell broadcast (e.g. of location service
information) using SBc-AP over SCTP/IP.
For SRVCC (single radio voice call continuity), the MME interworks with components
of the CS domain (GTP towards the MSC-Server and SGs-AP over SCTP towards
the MSC/VLR).
For interworking with CDMA2000 networks, the MME communicates with the HRPD
network using S101-AP over UDP, and tunnels messages between the UE and the
CS IWS.
to
support
location
services,
using
Other MME functions include OAM functions like at the SAE-GW, and Lawful Interception for
signaling traffic (receiving interception requests and transporting interception related
information towards the law enforcement agencies' monitoring centers).
The MME communicates with network elements in external networks, in particular with HSSs
in other PLMNs in roaming scenarios, but also with (e)NBs in LTE or UMTS radio access
networks (that may belong to different organizations, e.g. in the case of RAN sharing),
components in CDMA2000 networks, or external monitoring centers for lawful interception.
Like the SAE-GW, the MME may communicate with various remote communication peers
over backbones that are owned by 3.partys, and communicates with the eNBs, which have a
somewhat higher likelihood of being compromised by physical attacks, as they are in
contrast to the MME itself - deployed in locations where there is not much physical
protection.
Threat and Risk Assessment for the MME
The MME has many interfaces but no user plane interfaces. It is connected to various
different network elements, but mostly, these are internal network elements, so external
attackers have few possibilities to attack. There is one notable exception: The MME
communicates with mobile terminals (NAS signaling), so hostile terminals may try to attack
the MME via this communication, i.e. by sending malformed signaling messages or floods of
signaling messages. However, MME-products are expected to implement this sensitive
protocol in a very sound way.
On the backhauling interfaces, 3GPP mandates the usage of IPsec integrity protection and
encryption, unless the link is otherwise sufficiently protected. On external interfaces (e.g.
towards a HSS within another network), IPsec integrity protection is mandated. It is assumed
that most operators follow these recommendations.
An MME should comprise sound overload control mechanisms; moreover, MMEs may be
pooled and share the signaling load for each area of the network. Still, the impact of a failure
of an MME may be quite significant, as a considerable part of the signaling capacity of the
network is lost during such a failure.
The impact of compromising an MME is high. The MME, as a central control component, can
cause a lot of damage when acting maliciously. One specific abuse would be to get
subscriber keying material from the HSS.
128
The following table shows the assessment resulting from the above considerations.
Threats
Flooding an interface
Crashing a network element
Eavesdropping
Unauthorized data access
Traffic modification
Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
T1
T2
T3
T4
T5
T6
Likelihood
2
2
2
2
1
Vulnerab.
Factor
2
2
1
1
1
Impact
3
3
4
4
4
20
3
4
1
5
5
5
2
2
2
2
2
Risk
12
12
8
8
4
20
10
30
40
10
4.3.1.3 SGSN
The following picture shows the SGSN as part of the EPC.
129
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control plane)
Eavesdropping (user plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via management
interface
Malicious insider
Theft of service
Likelihood
2
2
2
2
2
1
1
1 -
Vulnerab.
Factor
2
2
1
1
1
1
1
Impact
4
4
4
1 - 3
4
4
1 - 3
Risk
16
16
8
6
8
4
3
20
3
4
2
5
5
5
2
2
2
2 2 -
20
10
30
40
20
4.3.1.4 ePDG
The following picture shows the embedding of the ePDG into the 4G mobile network.
131
132
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control
plane)
Eavesdropping (user plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Vulnerab.
Likelihood
Factor
4
3
4
2
Impact
4
4
48
32
2
2
3
1
1
1
2
1
1
2
10
30
4
4
1
5
5
5
3
2
1
2
2
3
3
3
4
3
Risk
30
10
6
12
9
4
6
60
40
5
133
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
1
1
2
2
1
Vulnerab.
Factor
2
2
1
1
1
Impact
4
3
4
4
3
10
3
4
1
5
5
5
2
2
2
2
2
Risk
8
6
8
8
3
20
10
30
40
10
134
135
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
1
1
2
2
1
Vulnerab.
Factor
2
2
2
1
2
Impact
5
5
5
5
5
10
3
4
1
5
5
5
2
2
1
2
2
Risk
10
10
20
10
10
20
10
30
40
5
136
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
1
1
2
2
1
Vulnerab.
Factor
2
2
2
1
2
Impact
4
4
3
3
4
10
3
4
1
5
5
5
2
2
1
2
2
Risk
8
8
12
6
8
20
10
30
40
5
137
RADIUS client
DHCP relay agent (or DHCP client requesting IP addresses on behalf of mobile
terminals)
Lawful Interception
In contrast to the SAE-GW, the GGSN does not provide functions to support access and
mobility via non-3GPP access networks.
Threat and Risk Assessment for the GGSN
The GGSN can be considered as a subset of the SAE-GW. Because it has fewer functions
and supports fewer protocols, for some threats the vulnerability factor is somewhat lower as
for the SAE-GW. However, in many cases, the vulnerability of the SAE-GW is already very
low, so no difference can be made for the GGSN. Likelihood and impact are generally taken
over from the SAE-GW assessment.
This leads to the assessment shown in the table below.
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control
plane)
Eavesdropping (user plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Vulnerab.
Likelihood
Factor
4
2
4
2
Impact
5
4
40
32
2
2
3
1
1
1
2
1
1
2
10
30
4
4
3
5
5
5
3
2
3
2
2
2
3
3
2
5
3
Risk
30
10
30
6
12
6
5
6
60
40
45
138
139
35
140
GTPv1-C
GTPv2-C
AfriNIC
26
11
APNIC
81
97
ARIN
52
45
LACNIC
22
10
RIPE
129
94
Summary
310
257
GTPv1-U
GTPv2-U
AfriNIC
13809
13761
APNIC
585733
584156
ARIN
18348
18235
LACNIC
907736
907618
RIPE
1428574
1427899
Summary
2954200
2951669
141
Mandatory: The APN Network Identifier which defines to which external network the
GGSN is connected to.
Optional: The APN Operator Identifier that defines in which PLMN GPRS backbone
the GGSN is located.
36
142
PLMN
HLR
EIR
RAN
MSS
CS Core
IMS
MGW
BSC
MGW
MGW
RNC
CSCF
MSS
Softswitch
Mobile
Station
MGW
External VoIP
Network
PSTN/ ISDN
IP
TDM/ATM
2G/3G RANs
other MSC-Servers
While SS7 may be transported using TDM or ATM, only transport over IP (SIGTRAN) is in
the focus of this document. CS-signaling between mobile terminals and the MSC-S is not IP
based and therefore out of the focus of this document.
The MSS may communicate with the MME of the EPC, as described in 4.3.1.2.
There can also be exchange of signaling traffic between the CS domain and an IMS. This
signaling traffic is based on SIP. SIP may also be used for signaling between MSC-Servers,
replacing the SIGTRAN/SS7 protocol stack.
Signaling traffic can be exchanged between control planes of different operator networks to
create circuits interconnecting terminals in different operator networks.
The user plane of the CS domain is handled by the CS-MGW. In a typical deployment,
access networks may be physically connected only to the MGW, but not to control plane
components in this case, the MGW "backhauls" the signaling traffic to the MSC-S. On the
core network side, the MGW transports user plane traffic towards other MGWs, e.g. a MGW
serving as a gateway to another network. MGWs are also used for interconnecting to the
PSTN/ISDN, or to SIP based VoIP or multimedia networks, like an IMS. MGWs may perform
certain forms of user traffic processing, like transcoding and provide additional services like
announcements.
Copyright 2012 ASMONIA consortium. All rights reserved.
143
144
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control
plane)
Eavesdropping (user plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (u-plane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Vulnerab.
Likelihood
Factor
2
2
2
2
Impact
4
4
16
16
2
2
1
1
1
2
2
1
2
2
30
4
4
2
5
5
5
2
2
2
2
2
3
3
2
5
3
Risk
20
10
12
12
2
10
6
40
40
20
145
146
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control
plane)
Eavesdropping (media plane)
Unauthorized data access
Traffic modification (c-plane)
Traffic modification (mplane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Vulnerab.
Likelihood
Factor
3
2
2
2
Impact
4
4
24
16
3
3
2
2
2
3
1
2
30
4
4
2
5
5
5
3
2
3
2
2
3
3
3
4
Risk
30
10
18
27
6
16
6
60
40
30
4.3.6 Charging
This section distinguishes between charging systems and the PCRF.
4.3.6.1 Charging Systems
The following picture shows Online and Offline Charging Systems (OCS and OFCS,
respectively) interacting with user plane entities of the EPC.
147
148
Threats
Flooding an interface
Crashing a network element
Eavesdropping
Unauthorized data access
Traffic modification
Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
T1
T2
T3
T4
T5
T6
Likelihood
1
1
1
1
1
Vulnerab.
Factor
2
2
3
1
3
Impact
4
4
4
4
5
10
10
3
4
2
5
5
5
2
2
2
2
2
Risk
8
8
12
4
15
20
10
30
40
20
149
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
1
1
1
1
1
Vulnerab.
Factor
3
3
3
2
3
Impact
4
4
4
4
5
10
15
4
4
2
5
5
5
2
2
2
2
2
Risk
12
12
12
8
15
20
10
40
40
20
150
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Likelihood
Flooding an interface
4
Crashing a network element
3
Eavesdropping (control
plane)
2
Eavesdropping (user plane)
2
Unauthorized data access
2
Traffic modification (c-plane)
1
Traffic modification (u-plane)
1
Data modification on a
network element
1
Compromise via
implementation flaw
3
Compromise via
management interface
3
Malicious insider
1 - 2
Theft of service
1
Vulnerab.
Factor
2
2
Impact
4
4
1
2
1
1
2
3
3
3
4
3
2
2
Risk
32
24
6
12
6
4
6
30
4
4
1
5
5
5
30
10
60
40
5
151
Control plane based methods, where control traffic between the mobile and access
network elements is exchanged in order to perform the positioning.
User plane based methods, where a user plane connection is established between
the mobile and a server in the network which is used to exchange information
facilitating the positioning.
152
153
Threats
Vulnerab.
Factor
Impact
Risk
T1
Flooding an interface
24
T2
18
T3
Eavesdropping
18
T4
18
T5
Traffic modification
T6
Data modification
T7
Compromise
implementation flaw
via
2
24
Compromise
management interface
via
2
24
8 - 32
10
T8
T9
Malicious insider
- 2
2
154
3GPP has specified this interface, as well as the functions needed to transport the short
messages through the mobile network. However, the SMSC and its various possible
interfaces (to external SMEs or other SMSCs) are not covered by 3GPP specifications. A
number of protocols exist e.g. for transmitting short messages from external SMEs to
SMSCs, e.g. SMPP (Short Message Peer to Peer).
In 2G/3G networks, if the mobile is attached to the CS domain only, short messages are
transported via the MSC to which the mobile is attached, using CS radio channels on the
radio interface. If the mobile is also attached to the PS domain, the transport via SGSN and a
PS radio channel is preferred because of higher efficiency. For 4G networks including a CS
core, 3GPP has specified an interface between MSC and MME and a procedure to transmit
short messages via the MSC and MME (i.e. using the control plane of the EPS).
Since 3GPP release 7, it is also possible to transmit short messages via the IMS. For this a
IP-SM-GW (IP Short Message Gateway) interconnects on the one side to the SMSGMSC/SMS-IWMSC, on the other side to the IMS control plane, i.e. one of the SIP servers
inside the IMS. With this setup, UEs (mobile as well as fixed terminals) attached to the IMS
can send and receive short messages via SIP messages, and need not be connected to a
3GPP access network at all (the UEs may connected to the IMS of the mobile network using
a non 3GPP access network, e.g. the Internet).
The following figure illustrates the network architecture for the SMS.
37
Note that in this document, the abbreviation SMS stands for short message service and is NOT
used to denote a short message transmitted via the SMS.
Copyright 2012 ASMONIA consortium. All rights reserved.
155
Threats
Vulnerab.
Factor
Impact
Risk
T1
Flooding an interface
36
T2
24
T3
Eavesdropping
- 3
- 18
T4
- 3
- 18
T5
Traffic modification
- 3
- 6
T6
Data modification
- 3
- 6
T7
Compromise
implementation flaw
via
3
45
Compromise
management interface
via
3
45
T8
T9
Malicious insider
T10
Theft of service
- 2
3
10
- 40
45
157
158
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
1
1
3
3
1
Vulnerab.
Factor
2
2
2
2
2
Impact
4
4
3
3
5
20
30
3
4
2
5
5
5
3
2
2
2
2
Risk
8
8
18
18
10
30
10
45
40
20
159
Eavesdropping
Eavesdropping on cached (and subsequently delivered) HTTP traffic would possibly not be
performed in the environment of the web proxies but in other parts of the networks that are in
closer proximity to the user(s) to eavesdrop on. Therefore these attacks rarely occur in
current operator networks (likelihood: "2"). Large parts of the traffic-in-question are
unencrypted, but on the other hand an attacker would need access to the traffic path of the
proxies which can be considered unlikely (overall estimation of the vulnerability factor "2"). As
HTTP traffic served to users usually is public anyway the impact would be small ("2") as well.
T4 Unauthorized access to sensitive data on a network element via leakage
The vast majority of data processed and delivered by the web proxies is public anyway so
there's only a very small ("1") likelihood an attacker will try to get hold of the data stored on
web proxies. Under certain circumstances (e.g. knowing an exact path or directory) it might
be possible to retrieve some data as in general web proxies do not implement strict access
controls. This leads to an estimate of the vulnerability factor of "3". Given the nature of the
data the impact would be very small ("1").
T5 Traffic modification
Modifying parts of the outbound network traffic of a web proxy (that is the traffic leaving the
proxy, potentially destined to users) might serve as an attack vector for large scale malware
spread (e.g. if an attacker can modify frequently accessed files like an update of a popular
desktop component). This type of attack does actually happen in operator environments
(likelihood "3"), however for the attack to be successful an attacker would need access to the
traffic path of the proxies (see also discussion of T3). It should be noted that there's no
integrity protection in place for large parts of HTTP based traffic (namely executables) which
leads to an overall vulnerability factor of "3".
The impact could be severe, not so much for the operator itself but potentially for a large
number of users (whose systems/terminals, being parts of a then-botnet, might in turn attack
the operator). Therefore, the impact is rated as "4".
T6 Data modification on a network element
This threat can be compared to T5 "Traffic modification". We estimate the difficulty of getting
("write") access to a web proxy to be roughly the same as to get into the traffic path so
overall the same values can be applied.
T7 Compromise of a network element via a protocol or application implement. flaw
In the last years only few vulnerabilities leading to a system compromise have been
discovered in current TCP/IP stacks and HTTP processing entities (a notable exception
might be the so-called Sockstress vulnerabilities disclosed in 2009). The likelihood of
associated attacks is thus estimated medium ("3") taking into account this type of attack still
happens, albeit not too often. While the web proxies' IP stacks and HTTP processing parts
can be considered to be mature and stable those systems are publicly reachable, at least to
some degree (attacker might initiate a data connection from a terminal, fetching data from an
attacker-controlled system which is then processed by an intermediate web proxy). This
gives an overall vulnerability factor of "3". A successful compromise might not directly impact
revenue-generating services of the operator but it would enable an attacker to modify the
delivered data (see above) which leads to an impact estimate of "4".
160
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
2
2
2
1
3
Vulnerab.
Factor
2
2
2
3
3
Impact
2
3
2
1
4
Risk
8
12
8
3
36
36
36
3
1
1
2
4
1
4
4
2
24
16
2
161
163
T1
T2
T3.1
T3.2
T4
T5.1
T5.2
T6
T7
T8
T9
T10
Threats
Flooding an interface
Crashing a network element
Eavesdropping (control
plane)
Eavesdropping (user plane)
Unauthorized data access
Traffic modification (c plane)
Traffic modification (u plane)
Data modification on a
network element
Compromise via
implementation flaw
Compromise via
management interface
Malicious insider
Theft of service
Likelihood
4
3
Vulnerab.
Factor
2
2
Impact
3
4
Risk
24
24
4
3
2
5
3
32
24
12
15
9
2
2
3
1
1
4
4
2
3
3
30
4
1
1
2
4
2
5
5
5
40
20
10
8 -
3 -
164
165
166
Threats
T1 Flooding an interface
T2 Crashing a network element
T3 Eavesdropping
T4 Unauthorized data access
T5 Traffic modification
T6 Data modification on a
network element
T7 Compromise via
implementation flaw
T8 Compromise via
management interface
T9 Malicious insider
T10 Theft of service
Likelihood
3
2
1
4
2
Vulnerab.
Factor
2
2
5
2
3
Impact
3
4
2
3
4
Risk
18
16
10
24
24
20
4
1
1
2
4
2
5
5
5
40
20
10
167
Takeover the UI in order to trick the user into installing the malicious application of the
attacker (cf. Chapter 4.1.2.4.8.2.1)
Enable the automatic initiation of the malicious application after its installation. This
makes sure that the attackers code will actually run. (cf. Chapter 4.1.2.4.8.2.2)
Secure that the attacker's application will also be running after the end-user's device
has been rebooted (cf. Chapter 4.1.2.4.8.2.3)
Covertly jailbreak the end-user's device by downloading jailbreak code (e.g., using
publicly available jailbreak code for the respective device) via the previously
established bi-directional communication channel (cf. Chapter 4.1.2.4.8.2.5)
Using the combination of these attacks allows to install arbitrary code on the end-user's
device, i.e., malicious code which could be botnet malware.
The botnet malware could be capable of accessing the SMS component of the system which
can effectively be used to suppress incoming SMS. With the suppression deployed, SMS
could be used as a covert communication channel between the command and control (C&C)
server of the botnet the malware belongs to and the malware itself.
Of course there exist a variety of other way to facilitate a C&C mechanism for smart phone
malware, e.g., using simple HTTP, IRC, or upcoming new forms of instant messaging
available for smart phones.
Exemplary features of the malware might include:
Advertise the malicious app to other users from the contacts of the user.
Obtain contact information of the user and the users in the contact database.
168
Monitor network traffic of the device for non-secured traffic in order to obtain
credentials of the user.
Nowadays a convenient way to spread malware is using the official markets of the different
smart phone operating system38 or unofficial 3rd party markets [Zhou2012]. As we have seen
in Chapter 4.1.2.4.9 the spreading mechanism is less effective the more tightly the market is
controlled. However, besides the official markets, there exist an abundance of alternative
sources for software on the Internet. Typically, installing application from these "less trusted"
sources entails disabling a security feature which prevents the users from doing so, i.e., on
Android.
38
http://www.zdnet.com/blog/security/google-android-market-malware-problem-escalates/9001
169
http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android
170
171
With the low end HLR, approximately 11.750 23.500 infected mobiles (depending
on the initial load of regular traffic) would reduce the throughput of legal transactions
by more than 90%.
With the high end HLR, approximately 141.000 infected mobiles would reduce the
throughput of legal transactions by more than 75%.
While it is out of the scope of this document to evaluate this work and these numbers in more
detail, we still believe that they indicate a very significant truth: Mobile botnets acting against
an HLR as described above may well be able to reduce the availability of the network
172
173
6 Conclusion
The assessments documented in chapter 4.1 show that mobile terminals will be increasingly
endangered by a variety of threats. The vulnerability of mobile terminals against many of
these threats is high, and successful attacks have often a high impact on the device. A
successful attack on a single device, even when resulting in compromising the device and
abusing it consequently to attack the network, has no significant impact on the network itself,
assuming the network considers terminals as potentially malicious anyway and uses
appropriate security controls against malicious terminals.
Although there are quite different types of terminals, there is a common trend: mobile
terminals will become more and more powerful, but also more and more complex and
therefore also more prone to flaws and security gaps. As we have seen in the previous
sections, all platforms currently have a multitude of vulnerabilities. This is very likely to hold
true for future revisions of these platforms. On smart phones, such vulnerabilities will be
exploited by malware, which comes mostly in the form of malicious functions that are part of
attractive applications which are installed by unsuspecting users. Successful compromise by
such malware seems very easily possible, with severe impact on the user of the smart
phone, whose data may be stolen and who may be impersonated in using expensive
services or performing fraudulent and criminal actions.
In particular, malware will turn mobile devices into bots. Large botnets of mobile devices
have not occurred yet, but the trend has become obvious. The mobile devices offer an
always-on connection which is very useful for the steady availability of mobile bots. Once a
mobile botnet has a sufficiently large size it may endanger not only the users, but also the
mobile network. Countering the spreading of malware is a difficult task because of the
variety of vulnerabilities and the possibilities to exploit them.
Concepts that allow operators or vendors to exhibit a considerable amount of control on
mobiles may be helpful in keeping the devices secured. However, it is assumed that such
concepts will never be perfect, and evading this kind of control will be possible. Users are
expected to try to turn off such control functions, in order to make full and unrestricted use of
the capabilities of their devices. So security concepts for mobile terminals continue to be a
very relevant field for future research.
The risk assessments for network elements (documented in chapters 4.2 to 4.5) can be
summarized according to different criteria. Here, we will give evaluations on a per threat and
on a per asset basis. In both cases, we will compare the risk, which is the main target of this
document, but also have a look at the vulnerability factor, which reflects the "security level" of
a component, and is the obvious target for any efforts to reduce a risk (compare section
2.2.3).
There may be different ways to compute average risk values. Here, taking into account that
risks are computed as a product of three values in the range from 1 to 5, the cubed
arithmetic mean of the 3rd roots of the risk values has been computed as an average risk
value. (In case of ranges, the upper border was selected.) However, it turns out that other
approaches do not yield significantly different results with respect to the ranking of risks. It
should be noted that the figures given in the tables below do not have an absolute meaning,
but only have the purpose to derive a ranking. Moreover, due to the inherent inexactness in
the risk assessment, the tables should be interpreted as showing the trend rather than a
strict absolute order.
174
Threat
Vuln.
Risk
3,1
39
T9 Malicious insider
4,0
33
2,4
26
T1
Flooding an interface
2,7
19
T2
2,3
16
1,9
15
2,1
15
2,0
13
T4
1,6
10
1,8
10
2,1
T6
1,6
Table 29: Ranking of the Different Threat Categories According to the Risk
It shows that the threats causing loss of control of network elements (compromising by
attackers or abuse be malicious insiders) pose by far the most significant risks to the mobile
network. Note that the malicious insider threat is even exacerbated when including also
malicious insiders at arbitrary positions within the supply chain (e.g. equipment developers
implementing malicious functions like backdoors). This result is not too surprising, as the
consequence of losing control can be loss of all three essential security properties:
availability, integrity and confidentiality.
Next in the ranking are the DoS attacks (flooding and crashing), followed by theft of service,
loss of confidentiality and loss of integrity. It can be noted, that a ranking according to the
vulnerability factor would show some deviations from the ranking according to the risk. E.g.,
when looking at threat T5.2, one sees that the user plane traffic is of somewhat "medium"
vulnerability against modification; however, the threat poses only a very low risk because of
its low impact (on the network operator) and the low likelihood of attacks trying to modify user
plane traffic.
The threat showing the highest vulnerability factor is the malicious insider threat (T9).
Several measures may be taken to mitigate this threat. Many of these are of organizational
nature rather. However, there are also technical measures which can help. E.g., to prevent
malicious network operator staff from changing the functions of network elements by
modifying the software on a network element, e.g. install additional programs, software
integrity protection mechanisms can be used. This is one of the topics that are explored in
the ASMONIA project (see e.g. [ASMONIA_D21]; further work on this area within the
ASMONIA project is still in progress and will be published on http://www.asmonia.de).
Copyright 2012 ASMONIA consortium. All rights reserved.
175
Table 30: Ranking of the Different Types of Network Elements According to the Risk
This ranking puts the HeNB on the first rank, as the component with the highest risk. A very
significant risk is also associated to the other base stations, i.e. the relay node and the
176
177
References
[3GPP_TS21133]
[3GPP_TS23271]
[3GPP-TS24007]
[3GPP_TS24301]
[3GPP_TS29060]
[3GPP_TS29274]
[3GPP_TS29281]
[3GPP_TS33120]
[3GPP_TS33210]
[3GPP_TS33220]
[3GPP_TS33320]
[3GPP_TS33401]
[3GPP_TR33816]
[3GPP_TR33820]
[3GPP_TR33821]
[3GPP_TS36300]
[3GPP_TS36305]
[3GPP_TS36410]
178
[3GPP-TS36420]
[3GPP-TS36423]
[3GPP_TS36455]
[3GPP_TS44006]
[Anderson1994]
[AndroidDev]
[APPDEV11]
[ASMONIA_D11]
[ASMONIA_D21]
[ASMONIA_D32]
[ATZ]
ARM TrustZone:
http://www.arm.com/products/processors/technologies/trustzone.
php
[Barkan2008]
[Biryukov2003]
[Blanchard2000]
[Bornstein2008]
179
[Chin_2011]
[CL_2009]
[CM_BH2009]
[COFTA07]
[Dunkelman2010]
O. Dunkelman, N. Keller, and A. Shamir. A practical-time relatedkey attack on the kasumi cryptosystem used in gsm and 3g
telephony. In T. Rabin, editor, Advances in Cryptology - CRYPTO
2010, volume 6223 of Lecture Notes in Computer Science, pages
393410. Springer Berlin / Heidelberg, 2010.
[Ekdahl2003]
[ETSI_TS1021651]
[CF_ARS2009]
[Felt_1_2011]
[Felt_2_2011
[Gendrullis2008]
[Goldberg1998]
[Goldberg1998a]
[Goldberg1999]
[Golic1997]
180
[Hberath_2011]
[iOSSec]
[ISO13335-1]
International Standard ISO/IEC 13335-1 [Edition as of 2004-1115] "Information technology Security techniques
Management of information and communications technology
security Part 1: Concepts and models for information and
communications technology security management"
[ISO13335-4]
[ISO18028-1]
International Standard ISO/IEC 18028-1 [Edition as of 2006-0701] "Information technology. Security techniques. IT network
security. Part 1: Network security management"
[ISO27000]
[ISO27002]
[ISO27005]
[ISO27011]
[ISO27033-1]
International Standard ISO/IEC 27033-1 [Edition as of 2009-1215] "Information technology Security techniques Network
security Part 1: Overview and concepts"
[ISO31000]
[ISO31010]
[ISO73:2009]
181
[ITU_E408]
[ITU_X805]
[Kambourakis2010]
[Keller2001]
[Madlmayr2008]
[MA_2009]
[MeeGo]
MeeGo: http://meego.com/
[MO_2009]
[MSSF]
[NISTbluetooth2008]
[NIST_SP800-30]
[Nohl2010]
[OL_SC2011]
[OMA_SUPLv3]
[Pagliusi2002]
182
[Rao2002]
[SH200c4]
[Shin_2010]
Wook Shin et al., "A Small But Non-negligible Flaw in the Android
Permission Scheme", IEEE POLICY 2010
[Traynor08]
Patrick Traynor et al., Exploiting open functionality in SMScapable cellular networks, Journal of Computer Security 16
(2008), IOS Press
Online at http://www.cse.psu.edu/~tlp/paper/JCS308.pdf (last
looked up 24.02.2012)
[Traynor09]
[ValsWindows7]
[Vedder1998]
[Wang2010]
[WMCE6]
[WP7DEV]
[Xenakis2004]
[Xenakis2006]
[Yousef2004]
183
184
Abbreviations
2G
3G
4G
3GPP
AAA
ACL
AES
AKA
AP
ARFCN
ASLR
ASMONIA
ATM
AuC
BSC
BSS
BTS
CBC
CDMA
CPU
CS
CSCF
DoS
DDoS
DHCP
DNS
DSMIP
DSP
EAP
EDGE
EEPROM
EIR
eNB
EPC
EPS
E-SMLC
ESP
E-UTRAN
FR
FTP
FPGA
GERAN
GGSN
GMLC
GPRS
GPS
GPU
GRE
GRX
2.Generation ( GSM)
3.Generation ( UMTS)
4.Generation
3.Generation Partnership Project
Authentication, Authorization, Accounting
Access Control List
Advanced Encryption Standard
Authentication and Key Agreement
Application Protocol
Absolute Radio-Frequency Channel Number
Address Space Layout Randomization
Attack analysis and Security concepts for Mobile Network Infrastructures,
supported by collaborative Information exchAnge (a project name)
Asynchronous Transfer Mode
Authentication Center
Base Station Controller
Base Station System
Base (Transceiver) Station
Cell Broadcast Centre
Code Division Multiple Access
Central Processing Unit
Circuit Switched
Call/Session Control Function
Denial of Service
Distributed Denial of Service
Dynamic Host Configuration Protocol
Domain Name System
Dual Stack Mobile IP
Digital Signaling Processor
Extensible Authentication Protocol
Enhanced Data Rates for GSM Evolution
Electrically Erasable Programmable Read-Only Memory
Equipment Identity Register
E-UTRAN NodeB
Evolved Packet Core
Evolved Packet System
Evolved Serving Mobile Location Centre
Encapsulating Security Payload
Evolved UTRAN
Frame Relay
File Transfer Protocol
Field-Programmable Gate Array
GSM EDGE RAN
Gateway GPRS Support Node
Gateway Mobile Location Centre
General Packet Radio System
Global Positioning System
Graphics Processing Unit
Generic Routing Encapsulation
GPRS Roaming Exchange network
185
186
187
188
Revision History
Version
0.1
0.2
Date
2012-02-01
2012-02-17
1.0
2012-02-29
Description
Version for review by the ASMONIA Consortium
Update according to review comments from the ASMONIA
Consortium
Minor corrections, editorial rework
Released Version
189
190
The document then discusses how such threats apply to the following 3 parts of the system:
Radio interface;
Other part of the system;
Terminals and UICC/USIM.
This results in close to 50 distinguished threats, which are mostly still of a rather generic
nature and are described only shortly (see list of major and medium threats below more
detail is not given). In an annex focusing on active attacks on the radio interface, some
possible attacks are discussed on a more technical level.
In clause 7, the document lists the threats with "major or medium value" (according to a risk
assessment following a method described in an ETSI technical report [ETR332]). The list is
reproduced below.
T1a
T1b
T1c
T1d
T4a
T5b
T6e
T9a
T9b
T9d
T10a
T10c
T10d
T10e
Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio interface.
(MAJOR)
Eavesdropping signaling or control data: Intruders may eavesdrop signaling data or control
data on the radio interface. This may be used to access security management data or other
information which may be useful in conducting active attacks on the system.
Masquerading as a communications participant: Intruders may masquerade as a network
element to intercept user traffic, signaling data or control data on the radio interface. (MAJOR)
Passive traffic analysis: Intruders may observe the time, rate, length, sources or destinations
of messages on the radio interface to obtain access to information. (MAJOR)
Masquerading as another user: An intruder may masquerade as another user towards the
network.. The intruder first masquerades as a base station towards the user, then hijacks his
connection after authentication has been performed.
Eavesdropping signaling or control data: Intruders may eavesdrop signaling data or control
data on any system interface, whether wired or wireless. This may be used to access security
management data which may be useful in conducting other attacks on the system.
Manipulation of the terminal or USIM behavior by masquerading as the originator of
applications and/or data: Intruders may masquerade as the originator of malicious applications
and/or data downloaded to the terminal or USIM.
Masquerading as a user: Intruders may impersonate a user to utilise services authorised for
that user. The intruder may have received assistance from other entities such as the serving
network, the home environment or even the user himself. (MAJOR)
Masquerading as a serving network: Intruders may impersonate a serving network, or part of
an serving networks infrastructure, perhaps with the intention of using an authorised users
access attempts to gain access to services himself.
Misuse of user privileges: Users may abuse their privileges to gain unauthorised access to
services or to simply intensively use their subscriptions without any intent to pay. (MAJOR)
Use of a stolen terminal and UICC: Intruders may use stolen terminals and UICCs to gain
unauthorised access to services. (MAJOR)
Use of a stolen terminal: Users may use a valid USIM with a stolen terminal to access
services. (MAJOR)
Manipulation of the identity of the terminal: Users may modify the IMEI of a terminal and use a
valid USIM with it to access services. (MAJOR)
Integrity of data on a terminal: Intruders may modify, insert or delete applications and/or data
stored by the terminal. Access to the terminal may be obtained either locally or remotely, and
may involve breaching physical or logical controls.
191
Integrity of data on USIM: Intruders may modify, insert or delete applications and/or data
stored by the USIM. Access to the USIM may be obtained either locally or remotely.
Confidentiality of authentication data in the UICC/USIM: Intruders may wish to access
authentication data stored by the service provider, e.g. authentication key. (MAJOR)
TR 33.821: "Rationale and track of security decisions in Long Term Evolved (LTE) RAN
/ 3GPP System Architecture Evolution (SAE)"
The document is a report only, not a specification. Such documents may be a collection of
ideas rather than an elaborated study result.
Clause 5 "Threats" discusses threats and possible countermeasures informally. Different
contributors seem to have contributed and maintained their individual style (e.g. scope of the
threat, structure of the discussion, level of detail). Obviously, this is by no means complete
there are many more potential threats.
Threats to UE:
IMSI catching
UE tracking
Tracking User temporary ID
User tracking due to Linkability of IMSI/TMSI and RNTI
User tracking due to IP-address linkability towards TMSI/IMSI/RNTI
Tracking based on new and old RNTI mapping
Tracking based on handover signaling messages
Tracking based on cell level measurement reports
Tracking based on packet sequence numbers
Tracking based on UEs static IEEE MAC (Medium Access Control) address
Forced Handover (to a compromised eNB)
Forced Handover (to a legacy radio access technology)
Unprotected bootstrap and multicast signaling
broadcast of system information
192
193
Each threat is discussed in a fixed form, describing prerequisites, the way how to attack,
probability, the impact (considering 3 "assets": H(e)NB, user, operator) and mitigation
methods.
A "threat matrix" shows probability, impact and "risk level" as numbers between 0 and 1
which are also mapped to classes like "high" "medium" "low".
The document states that the results must be considered as preliminary.
The threats are discussed in an informal way. Partly they are very short, like 5 lines of text or
less. In some cases Editors Notes state that the discussion is incomplete. Also, there is no
claim of completeness of the list of threats.
This threat analysis was used as input for specifying the security architecture for the H(e)NB,
which takes into account and as far as possible and reasonable - mitigates these threats.
195